Malware‑as‑a‑Service Kit Enables Full Android Device Takeover (BTMOB RAT)
What Happened – A new Android Remote Access Trojan (RAT) called BTMOB is sold as a point‑and‑click kit. For a $5,000 lifetime license, buyers receive an integrated APK builder that creates malicious apps, custom phishing lures, and region‑specific campaigns without writing code. The payload abuses Android Accessibility Services to gain elevated permissions, exfiltrate data, capture screens, and give attackers remote control.
Why It Matters for TPRM –
- The MaaS model lowers the technical barrier, expanding the pool of potential threat actors that could target your employees’ mobile devices.
- Compromised Android devices can be leveraged to steal corporate credentials, access VPN clients, and exfiltrate sensitive business data.
- The kit’s rapid localization means any organization with a global mobile workforce is at risk of targeted phishing campaigns.
Who Is Affected –
- All industries with a mobile workforce (finance, healthcare, retail, technology, etc.).
- Vendors providing Android‑based applications, mobile device management (MDM) solutions, and endpoint security services.
Recommended Actions –
- Review and tighten mobile security policies, especially regarding app installation from unknown sources.
- Enforce strict controls on Android Accessibility Services and require MDM enforcement of app whitelisting.
- Conduct phishing awareness training focused on malicious app downloads and fake app stores.
- Verify that third‑party vendors handling mobile devices have robust detection and response capabilities for RAT activity.
Technical Notes –
- Attack Vector: Phishing messages that redirect victims to a counterfeit app store, followed by automatic exploitation of Android Accessibility Services.
- Capabilities: Full device takeover, screen capture, audio recording, data exfiltration, remote command execution.
- Business Model: Malware‑as‑a‑Service (MaaS) with a $5,000 lifetime license plus monthly support; sold via Telegram, X, and Instagram.
- Related Malware: Evolves from SpySolr (early 2025).
Source: Security Affairs